Issue in Knowing roles assigned to a user before a...

Former Member · ‎12-28-2009

Hi all,

I have assigned few roles to a user and now they need to be revoked.

I would like to know if any of the roles assigned( by me) to the user were already existing for that user, so that i won't touch those roles and can maintain the state of that user as that of earlier.

Eg: User have A,B,C,X,Y,Z and I have assigned D,E,F,X,Y,Z to him few days ago. No I need to revoke the roles of that user so that only D,E,F needs to be revoked but not X,Y,Z as they were existing from a long time.,

I have checked SUIM change documents for that particular user but it lists out the changes in terms of profiles added but not on roles added and in our system few roles don't have profiles ( used for Java development )) .

is there any table which gives us the roles assigned to a user as on a particular date.

Please help me out in finding a solution by next year...

Regards,

Kamaraj Sandeep.

Edited by: Julius Bussche on Dec 28, 2009 6:40 PM

"at the earliest" is considered rude here in these forums.

Former Member · ‎12-28-2009

Hi Kamaraj,

I guess if you have assigned all the roles on the same date then you can easily do it provided you know the date on which you have assigned these roles to the users.

Go to SUIM> BY Users> Complex selection criteria>

Enter the User Id.

Exectute

Click on the "roles assigned" tab.

Now you can see the list of roles assigned and the validity date. Also SE16 Table agr_users will also be helpful. You can also check USH* tables.

Former Member · ‎12-28-2009

Yes, this was a deficiency, as originally roles only provided access when a profile was generated for it.

The user change documents were then converted to the standard application change document concept for several reasons (including sequential numbering, new tables and fields with "parallel compatibility" required, etc.

You should be able to find your change documents using report RSUSR100N (new report which evaluated the CDHDR tables as well).

Specifically to this problem, what you can also do for those which do have profiles is to schedule report PRGN_COMPRESS_TIMES, which will assign the corresponding profile of the "nest of roles" only once if still found to be valid.

There is a limit on the number of profiles which can be assigned to a user, but not on the number of roles.

Cheers,

Julius

Former Member · ‎12-28-2009

On second thoughts:

> is there any table which gives us the roles assigned to a user as on a particular date.

If the "old" assignment was before the new concept, then you will only see your roles added.

Probably the safest route is to find the cutover date from RSUSR100N (first entry), and then work the rest out from AGR_USERS -> as suggested by Akshay.

Cheers,

Julius

Former Member · ‎12-30-2009

Hi Kamaraj,

Let me know the system on which you are working. If you have a JAVA stack in place, then you should be able to use the netweaver administrator.

Please let me know the architecture of the system you are using. ( eg, Front end : Portal, back end : ECC)

Regards,

Sneha Vyas.

Former Member · ‎12-30-2009

Hi Akshay,

Thanks for your response.

I could check the users individually based on the role assignment date and could solve the issue.I could do this as the users are of few in number to check.

I am not awre of finding them provided there ar elarge number of users to be modified.

Thanks,

Kamaraj.

Former Member · ‎12-30-2009

Hi Kamaraj,

You can do that as well with a little help of excel sheets

First step: Put all the userId in the above selection criteria you have set in SUIM. Click on "Role Assigned" tab. This will give you all the roles assigned to all the users with their proper assignment dates. Take out this data in an excel sheet.

Second step: Filter out this sheet such that you get the list of all userIDs mapped with the roles you need to delete.

Third Step: Use SU10 and perform your deletion activity.

Hope this helps.

Issue in Knowing roles assigned to a user before a particular date